Importing Existing Keys and SSL Certificates Into Apache Tomcat

I rarely use Tomcat, but one of my clients is a Java guy and, as makes logical sense, uses Tomcat to serve the applications he writes. One of which required an SSL certificate. It’s no problem to create a new key, CSR, and import the certificate and certificate authority chains, but what if we already have an existing key and certificate for the same domain?

In our case, we had Apache serving the non-application stuff (in PHP, natch) on ports 80 and 443, with Tomcat on 8000 and 8443 (take that, Plesk!), and already had a certificate issued for the domain on the Apache side. Since the stuff used by Apache was in PEM format, I’ve added one of the steps required to convert it to PKCS12, which is what we’ll use for the Java keystore. These instructions are taken from a CentOS box, so you may need to make some modifications for other operating systems. It’s only here to serve as a guideline (and for my own future reference, primarily, because I know damned well I’ll forget again next year).

First, we need to concatenate the key, certificate (granted us by the CA) and the CA bundle into one single file. This is done most simply like so:cat your_domain.key your_domain.crt your_ca_bundle.crt > your_domain.key_crt_bundle.pem

Create a password for the resultant PKCS12 file, and remember the password for a moment. Because you’ll need it when you import this PKCS12 into your Java keystore using the following command:keytool -importkeystore -srckeystore your_domain.key_crt_bundle.p12 \
-srcstoretype pkcs12 -destkeystore your_domain.key_crt_bundle.jks -deststoretype jks

You’ll need to create a new password for the keystore, and then enter the password for the PKCS12 you created two steps back.

Then, edit your Tomcat server.xml file and define the full path and filename of the newly-created keystore, as well as your keystore’s password. In our case, the default location was /etc/tomcat6/server.xml. If you don’t know how to configure Tomcat6 for SSL at all, that’s beyond the scope of this particular post, and you will need to do some research. Also, do not pass GO!. Do not collect $200. And may God have mercy on your soul.

Finally, restart Tomcat doing the good ol’-fashioned service tomcat6 restart (or equivalent), and you should be good to go. And, if not…. sucks to be you.